SPECIFICATION

COMMAND AUTHORIZATION VIA RADIUS

This application is submitted in the name of inventors Gregory Weber and
Laurence Grant, both assignors to Cisco Technology, Inc., a California
Corporation.

BACKGROUND OF THE INVENTION

Field of the Invention

The present invention relates to the field of network communications.
More specifically, the present invention relates to authorizing individual
commands in the Remote Authentication Dial In User Server (RADIUS) protocol.

The Background

The Remote Authentication Dial In User Server (RADIUS) protocol is an
access control protocol used to provide Authentication, Authorization, and
Accounting (AAA) services for various network devices, but especially for
Network Access Servers (NASes). Most service providers utilize RADIUS, and it
is also used commonly in the Enterprise market.

In RADIUS, when a client initiates a call to a NAS, username and
password information is collected. This username and password information is
then forwarded to a central AAA server. A single transaction with the server is
used to both authenticate and authorize the user. A session may then be initiated.
A session is an active connection between two devices. During the rest of the
session, the user then may initiate commands, and accounting records may be sent
to the AAA server indicating the beginning and end of the client session.

A need exists, however, for individual commands to be authorized by an
AAA server. This would allow routers or NASes that are accessed by many
different administrators performing different functions to operate more efficiently
and securely. The RADIUS protocol does not currently support this type of
command authorization. The Terminal Access Controller Access Control System
(TACACS+) is an access control protocol that offers command authorization.
TACACS+ is based on the Transmission Control Protocol (TCP) and provides for
a transmission from the network device receiving the command to the AAA server
to request authorization to execute the command. The AAA server then may
access a stored profile to determine if the user has authorization to perform the
command. Then the AAA server may send a transmission back to the network
device via TACACS+ indicating the results of the determination regarding
authorization.

This solution, however, has several drawbacks. First, each individual
command must be authorized. This involves sending a request to the AAA server
and waiting to receive a response each time a network device receives a command
from a user, causing additional delays in authorizing commands. Also since
TACACS+ is based on TCP, a total of 8 packets must be transmitted back and
forth between the network device and the AAA server each time a command is
authorized, causing additional network traffic.

Additionally, RADIUS is much more commonly used than TACACS+.
Accordingly, a need exists for a way to implement command authorization in the
RADIUS protocol.
SUMMARY OF THE INVENTION

Command authorization may be accomplished using the RADIUS protocol
by providing a user profile on the server for each user. This user profile may be
transferred to a network device, such as a NAS, when the user initiates a RADIUS
session. It may be stored in a local cache and accessed each time the user attempts
to execute a command. The user profile may contain a command set defined by
regular expressions, which are used in pattern matching to determine whether or
not the command should be authorized. The command may then be authorized or
rejected based on the results of this determination. After the session is completed,
the user profile may be purged from the cache. The present invention allows for a
dramatic savings in the traffic and execution time associated with command
authorization and allows command authorization to be accomplished using the
RADIUS protocol, which increases flexibility.
BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a flow diagram illustrating a method for authorizing a command
from a user in a network device in accordance with a specific embodiment of the
present invention.

FIG. 2 is a diagram illustrating an example of a user profile in accordance
with a specific embodiment of the present invention.

FIG. 3 is a block diagram illustrating an apparatus for authorizing a
command from a user in a network device in accordance with a specific
embodiment of the present invention.

FIG. 4 is a block diagram illustrating a network device in accordance with a
specific embodiment of the present invention.
DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT

In the following description, a preferred embodiment of the invention is
described with regard to preferred process steps and data structures. However,
those skilled in the art will recognize, after perusal of this application, that
embodiments of the invention may be implemented using at least one general
purpose computer operating under program control and/or using a program storage
device, and that modification of the general purpose computer to implement the
components, process steps, and/or data structures described herein would not
require undue invention.

In accordance with a specific embodiment of the present invention, the
components, process steps, and/or data structures are implemented using software
running on a network access server or other network device, such as a Cisco™
Gigabit Switch Router or a Cisco™ Universal Access Server. This implementation
is not intended to be limiting in any way. Different implementations may be used
and may include other types of operating systems, computing platforms, and/or
computer programs. In addition, those of ordinary skill in the art will readily
recognize that devices of a less general purpose nature, such as hardwired devices,
devices relying on FPGA (field programmable gate array) or ASIC (application
specific integrated circuit) technology, or the like, may also be used without
departing from the scope and spirit of the inventive concepts disclosed herewith.
The present invention provides for command authorization in the RADIUS
protocol by storing a user profile in a cache or memory at a network device, such
as a NAS. This user profile is transmitted from the AAA server to the NAS when
a RADIUS session is begun. Thereafter, any command issued by the user is first
checked against a record in the user profile. The record contains information as to
which commands the user is authorized to execute. The NAS may then determine
whether to authorize the command based on the information in the record. When
the session is completed, the user profile may be purged from the cache. This
solution allows for command authorization via the RADIUS protocol without
having to send packets to the AAA server each time a command is issued.
Additionally, since RADIUS does not use TCP, the transmission between the
AAA server and the NAS at the beginning of the session uses fewer packets than
even a single command authorization in TACACS+.

FIG. 1 is a flow diagram illustrating a method for authorizing a command
from a user in a network device in accordance with a specific embodiment of the
present invention. At 100, a RADIUS session is initiated between the user and the
network device. In a specific embodiment of the present invention, the network
device is a NAS. At 102, a user profile for the user is received from an AAA
server, the user profile containing information regarding which commands the user
is authorized to execute. The user profile may take many different forms. In a
specific embodiment of the present invention, the user profile contains a command
set described by regular expressions. FIG. 2 is a diagram illustrating an example
of a user profile in accordance with a specific embodiment of the present
invention. A user name 200 may identify the user (here, oper1). A password 202
may indicate the user's password, which may be checked when establishing the
session. A command set that the user is authorized to issue may be defined by one
or more Basic or Extended Regular Expressions as defined by IEEE P1003.2. A
series of attribute value pairs (AVPairs) 204, 206, 208 define the regular
expressions for the command set. A regular expression is any simple expression
that can be handled by a finite automaton. Generally, regular expressions may
resemble broad set definitions (e.g., "run .*" indicating that all commands
beginning with the word "run" are part of the set) or definitions using boolean
operators on sets (e.g., set a + set b). In RADIUS, the AVPairs may be used to
hold the expressions defining an authorized command set. AVPair 204 indicates
that the user may execute any show command, while AVPair 208 indicates that the
user may execute any ping command. AVPair 206 indicates that the user may
execute a telnet command, but only may telnet to IP addresses beginning with
"10.14.0."



Referring back to FIG. 1, at 104, the user profile may be stored in a cache.
This cache may be local to the NAS or network device. This will allow access to
the user profile without having to reestablish contact with the AAA server. At
106, the command is received from the user. Since the network device may be a
NAS, or may be any other network device, the type and format of the available
commands may include any number of choices. At 108, it is determined whether
the command is authorized based on the information in the user profile for the user
stored in the cache. This may include comparing the command to a command set
contained in the user profile. The command set may be a list of authorized
commands, or alternatively, may be described by regular expressions. At 110, the
command may then be authorized or rejected based on the results of the
determining. If the NAS is configured to authorize individual commands, then
this cached command set will be consulted whenever a command execution
attempt is made. If the user has abbreviated the command in any way, it is first
expanded to its full form, then regular expression matching is performed against
the cached command set definition. The command set may be cached for the
remainder of the session, thus at 112, when the RADIUS session is terminated, the
user profile may then be purged from the cache.
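The following is an added worked example, not code from the patent or from Cisco, of the flow just described (steps 102 through 112 of FIG. 1 and the profile of FIG. 2): a profile carrying a user name, a password and a series of AVPairs whose values are regular expressions is parsed, stored in a per-session cache at the network device, consulted for each command after abbreviations are expanded, and purged when the session ends. The attribute name `cmd-regex`, the session identifiers, the table of full command words used for expansion, and the sample profile text are all constructed for this example; the page does not give the actual AVPair syntax.

```python
import re
from dataclasses import dataclass, field

# Constructed sample profile in the shape FIG. 2 describes: user name,
# password, and one AVPair per regular expression in the command set.
# The attribute name "cmd-regex" is an assumption for this example.
SAMPLE_PROFILE_TEXT = """\
User-Name = oper1
User-Password = secret
cmd-regex = show .*
cmd-regex = telnet 10\\.14\\.0\\..*
cmd-regex = ping .*
"""

# Constructed table of full command words; used to expand abbreviations
# (e.g. "sh" -> "show") before matching, as the description requires.
COMMAND_WORDS = ("show", "telnet", "ping", "reload", "configure")


@dataclass
class UserProfile:
    user_name: str
    password: str
    command_set: list = field(default_factory=list)  # compiled regexes


def parse_profile(text):
    """Parse "Attribute = value" AVPair lines into a UserProfile (step 102)."""
    user_name = password = None
    patterns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        attr, value = (part.strip() for part in line.split("=", 1))
        if attr == "User-Name":
            user_name = value
        elif attr == "User-Password":
            password = value
        elif attr == "cmd-regex":
            patterns.append(re.compile(value))
    if user_name is None:
        raise ValueError("profile lacks User-Name")
    return UserProfile(user_name, password, patterns)


def expand_abbreviations(command, words=COMMAND_WORDS):
    """Expand an abbreviated command word to its full form when the prefix is unambiguous."""
    tokens = command.split()
    if not tokens:
        return command
    matches = [w for w in words if w.startswith(tokens[0])]
    if len(matches) == 1:
        tokens[0] = matches[0]
    return " ".join(tokens)


def command_authorized(profile, command):
    """Step 108: the expanded command must fully match one regex in the command set."""
    full = expand_abbreviations(command)
    return any(p.fullmatch(full) for p in profile.command_set)


class ProfileCache:
    """Per-session profile cache at the network device (steps 104, 110 and 112)."""

    def __init__(self):
        self._profiles = {}

    def store(self, session_id, profile):
        self._profiles[session_id] = profile

    def authorize(self, session_id, command):
        profile = self._profiles.get(session_id)
        if profile is None:
            return False  # no cached profile for this session: fail closed
        return command_authorized(profile, command)

    def purge(self, session_id):
        self._profiles.pop(session_id, None)

    def __contains__(self, session_id):
        return session_id in self._profiles


if __name__ == "__main__":
    cache = ProfileCache()
    cache.store("sess-1", parse_profile(SAMPLE_PROFILE_TEXT))
    for cmd in ("sh ip route", "telnet 10.14.0.7", "telnet 10.140.0.7", "reload"):
        print(f"{cmd!r}: {'authorized' if cache.authorize('sess-1', cmd) else 'rejected'}")
    cache.purge("sess-1")
```

Two details matter for a policy expressed as regular expressions. The match is anchored (`fullmatch`), so "show .*" cannot be satisfied by a longer string that merely contains "show"; and the dots in the telnet AVPair are escaped, since an unescaped "10.14.0." would also accept an address such as 10.140.0.7, which is not one that begins with "10.14.0." A request for a session with no cached profile is rejected rather than passed through.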

FIG. 3 is a block diagram illustrating an apparatus for authorizing a
command from a user in a network device in accordance with a specific
embodiment of the present invention. A RADIUS session initiator 300 initiates a
RADIUS session between the user and the network device. In a specific
embodiment of the present invention, the network device is a NAS. A user profile
receiver 302 coupled to the RADIUS session initiator 300 receives a user profile
for the user from an AAA server, the user profile containing information regarding
which commands the user is authorized to execute. The user profile may take
many different forms. In a specific embodiment of the present invention, the user
profile contains a command set described by regular expressions.

A user profile storer 304 coupled to the user profile receiver 302 and to a
cache 306 stores the user profile for the user in a cache. This cache may be local
to the NAS or network device. This will allow access to the user profile without
having to reestablish contact with the AAA server. A command receiver 308
receives the command from the user. Since the network device may be a NAS, or
may be any other network device, the type and format of the available commands
may include any number of choices. An authorized command determiner 310
coupled to the command receiver 308 and to the cache 306 determines whether the
command is authorized based on the information in the user profile for the user
stored in the cache. This may include comparing the command to a command set
contained in the user profile using a command set comparer 312. The command
set may be a list of authorized commands, or alternatively, may be described by
regular expressions. A command authorizer 314 coupled to the authorized
command determiner 310 may then authorize or reject the command based on the
results of the determining. A user profile purger 316 coupled to the cache 306 may
then purge the user profile when the RADIUS session is terminated.
FIG. 4 is a block diagram illustrating a network device in accordance with a
specific embodiment of the present invention. Network Device 400 contains a
processor 402, for executing instructions. A program storage device 404 may hold
software containing instructions for executing the present invention. A memory
store 406, such as random-access memory (RAM) may be utilized to temporarily
store the instructions from the program storage device.

By utilizing the RADIUS protocol to perform command authorization, the
present invention allows individual commands from users to be independently
authorized or rejected while minimizing the traffic load on the system. This
invention may also have specific usefulness in the burgeoning field of enterprise
networking, where there are currently many users of TACACS+ who might be
better off utilizing a RADIUS-based system.

While embodiments and applications of this invention have been shown
and described, it would be apparent to those skilled in the art having the benefit of
this disclosure that many more modifications than mentioned above are possible
without departing from the inventive concepts herein. The invention, therefore, is
not to be restricted except in the spirit of the appended claims.